InstaAgent Removed From iTunes, Google Play For Data Theft

A software developer has discovered that a leading free app on iTunes and Google Play has been sending people’s usernames and passwords to an unknown website.

The malicious app is called InstaAgent, and is touted as an Instagram client. It is also reportedly the most downloaded free app in the UK and Canada.

Data Theft

InstaAgent touts itself as an app that lets users see who has viewed their Instagram account. When a user installs the app and enters their account details (including username and password), the app sends those details, unencrypted, to a third-party server, according to the Guardian newspaper.

The discovery of its data stealing activities was made by developer David Layer-Reiss of Peppersoft, who tweeted his warning about the app.

“Who Viewed Your Profile #Instaagent will send your Instagram Username and Password to an unknown server!” he warned.

InstaAgent was available on the iTunes store and Google Play Store. Both stores have since removed the app, but not before it was downloaded by thousands of unsuspecting users. Indeed, Google indicates that the app was downloaded between 100,000 and 500,000 times from Google Play.

Instagram users who used the app should therefore consider their Instagram passwords compromised.

Red Faces?

At least one security expert has noted that both Apple and Google appear to have been duped by the app, but he said both firms will no doubt examine how it managed to bypass their respective screening processes.

“It’s certainly unusual for both the Google and Apple app stores to clear scamware like the InstaAgent profile viewing app, especially given that profile viewing scams have been around for a while and should be pretty well known to the human screeners at these app stores,” commented Tod Beardsley, security research manager at Rapid7.

“With the notable exception of the professional networking site LinkedIn, most social media platforms do not offer this ‘reverse stalking’ capability, but this doesn’t stop the hopeful from trying an app that promises to deliver on impossible functionality,” said Beardsley.

“While the direct motive for the malicious app developer was to spread spam links via hijacked Instagram accounts, he now has a library of about a half a million username and password combinations,” Beardsley said.

“Since people routinely reuse passwords for various social media sites, we recommend that anyone who mistakenly installed the InstaAgent app immediately change not only their Instagram password, but also the password for any other site where they use the same password, as well as any password that is similar enough that it could be easily guessed,” he added. “For example, many people use ‘unique’ passwords that incorporate the site’s name or an easy mnemonic, like ‘password.Insta’ or the like. It wouldn’t be difficult to surmise that someone who used that password might also use ‘password.Twit’ for Twitter.”

Beardsley also pointed out that as the passwords were transmitted in the clear (i.e. not encrypted), there is no telling who else also had the opportunity to collect this sensitive data.

“While the availability and popularity of this particular piece of scamware is notable, I’m positive Google and Apple reject countless similar apps routinely, and I’d expect they’ll be taking this failure in their screening process as a learning opportunity to find out what they could have done to catch it in the first place,” said Beardsley.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
